Cisco Cloud Services Platform 2100 and Cavium LiquidSecurity™ enable secure Crypto as a Service solution for NFV, Cloud and IaaS
Contributors: Gunnar Anderson
Cisco and Cavium, Inc., a leading provider of semiconductor products that enable secure and intelligent processing for enterprise, data center, cloud, wired and wireless networking, today are announcing that Cisco is integrating Cavium’s LiquidSecurity™ family into the Cisco Cloud Services Platform (CSP) 2100. The CSP 2100 is a Network Functions Virtualization (NFV) turn-key, open x86 Linux Kernel-based Virtual Machine (KVM) software and hardware platform for running both Cisco and third-party virtual network services. The CSP 2100 bridges network, server, and security teams by offering several ways to manage and operate the platform. You can manage the platform via a GUI, CLI, REST API, and/or NetConf leveraging Cisco’s Network Services Orchestrator (NSO).
For virtual network services running on the CSP 2100 that require crypto processing and centralized key management, this joint solution enables security features and performance similar to dedicated hardware appliances while providing the benefits of reduced costs and complexity, flexibility, and speed of delivery. With availability in both FIPS and non-FIPS modes, the solution is targeted at both Enterprise and Service Provider markets for a variety of applications in the Cloud, Data Center, Point-of-Presence (POP), Central Office (CO), COLOs, Carrier Neutral Facilities (CNF), WAN Aggregation, DMZ, Core Network, and Server Farms. Example applications include Load Balancers, WAN Accelerators, Web Application Firewalls (WAFs), Routers, Security Gateways and IDS/IPS.
Market Dynamics for Virtual Network Services
Most applications have been virtualized over the past decade, and now the same trend is occurring for network services. With this trend, network services can be deployed and managed much more flexibly in a virtualized environment using x86 computing resources instead of purpose-built dedicated hardware appliances. However, there are challenges that need to be addressed in order to speed up this deployment.
The challenges for deploying virtual network services pertain to the complexity of the software required to enable the virtualized environment, the capability of the team to deploy and bring up services, and the lack of hardware performance and features for security. The platform needs to have easy-to-use software and development/deployment tools. The network team needs to have the capability to easily and quickly deploy virtual network services at the pace that the DevOps and server teams need (within minutes). The platform needs to have the required performance for crypto applications (i.e., the performance of hardware with the agility of software). Several customer applications highlighted above that run on virtualized infrastructure require high asymmetric cryptographic performance to match the performance offered by dedicated hardware appliances. Today, most SSL transactions use 2048-bit RSA key operations, which significantly tax x86 CPUs. There is a real need for centralized key operation offload and centralized key management to generate, store and manage keys in a highly secure manner for crypto applications running in a multi-domain cloud data center.
Cisco Cloud Services Platform 2100
Cisco Cloud Services Platform (CSP) 2100 is an NFV turn-key, open x86 Linux Kernel-based Virtual Machine (KVM) software and hardware platform for both Enterprise and Service Provider environments with 100 or fewer nodes per site. The platform enables users to quickly deploy any Cisco or third-party network virtual service through a simple built-in native web user interface (WebUI), command-line interface (CLI), or representational state transfer (REST) API. Users can also use the standardized NetConf interface with software such as Cisco Network Services Orchestrator (NSO) or even OpenDaylight (ODL). Any or all management interfaces can be used. The Cloud Services Platform 2100 is shipping today as a network appliance.
Cisco Cloud Services Platform 2100 Native WebUI Dashboard
Cisco Cloud Services Platform 2100 v1.0 Demo
Cavium LiquidSecurity™ Family
The LiquidSecurity™ family provides a partitioned, centralized and elastic key management solution with the highest symmetric/bulk and asymmetric/transactions-per-second performance. It addresses the high performance and security requirements for private key management and administration while also addressing elastic performance per virtual / network domain for the virtualized cloud environment. This product family is available as a PCI Express adapter with complete software and also as an appliance. Product options include FIPS 140-2 Level 2 and 3 certified as well as non-FIPS. Feature details are as follows:
• LiquidSecurity™ FIPS family provides performance that is at least 10 times higher than any other solution on the market today. This product family supports 35K 2048-bit RSA ops/sec and 10 Gbps bulk encryption. In addition, multiple LiquidSecurity™ products can be pooled together to offer higher performance for large deployments.
• SSL handshake offloads for 32 domains – LiquidSecurity™ HSM product family supports 32 FIPS 140-2 Level 3 partitions per appliance. Each partition functions as an independent and fully secure HSM.
• Hardware support for 2048-bit RSA key pair generation – robust key generation within the FIPS boundary is a critical component of the overall security this product family provides.
• LiquidSecurity™ non-FIPS family supports 130K 2048-bit RSA ops/sec, 300K ECC ops/sec and 10 Gbps bulk encryption/sec. In addition, multiple LiquidSecurity™ products can be pooled together to offer higher performance for large deployments.
• SSL handshake offloads for 64 domains – LiquidSecurity™ solution provides 64 partitions, where each partition functions as an independent key store and key operation partition.
• 2048-bit RSA key pair generation – multiple thousands of 2048-bit key generations per second.
Multiple Load Balancing vendors such as F5, A10, Kemp and traffic monitoring services such as ExtraHop have already announced support for the LiquidSecurity™ solution. Cisco and Cavium are actively working together to add several additional virtual network service vendors to this list.
“With the integration of Cavium’s LiquidSecurity™ into the CSP 2100 platform, Cisco customers will be able to flexibly and efficiently scale critical crypto performance and secure valuable crypto keys,” said Jim French, Distinguished Systems Engineer at Cisco. “Because of their broad industry support, we have been partnering with Cavium to enhance SSL processing using the Nitrox® III adapter for over 3 years. LiquidSecurity™ is the next logical step in that partnership.”
“This partnership enables the availability and support of the LiquidSecurity™ product family through Cisco’s global sales and support channels thus accelerating the adoption of LiquidSecurity™ for the target markets,” said Tejinder Singh, Marketing Director of Crypto Solutions at Cavium. “We are delighted to jointly bring this solution to the market.”
The LiquidSecurity™ solution on the CSP 2100 will be orderable from Cisco starting in late Q2CY16. Field trials will start before then. It will be fully supported by the Cisco Technical Assistance Center (TAC).
For More Information
For additional information about Cisco CSP 2100, visit http://www.cisco.com/go/csp
For additional information about Cavium LiquidSecurity™, visit http://www.cavium.com/LiquidSecurity-HSM.html